3

I ask this with the default install of FreeBSD in mind. It has no network services activated and also no firewall installed. This is unlike many Linux distributions, which typically configure a basic firewall but also have limited network services, for instance sshd, listening.

If there are no services binding any network ports, it seems that there wouldn't be much of anything for a firewall to do. (Assuming trust of outbound traffic, which is typical for the aforementioned firewall configurations installed by default in many Linux distros.)

I'm specifically asking about BSD/Linux systems only, excluding OS X.

hotkarl
  • 165
  • 2
  • 10
  • Suppose a network service gets started later? – Michael Hampton Dec 15 '16 at 20:28
  • Then it would obviously be wise to consider firewalling it off. – hotkarl Dec 15 '16 at 20:30
  • No service listening, but does it have an IP? For me BSD is the reference for a well integrated network stack and firewall. Thus I don't see what you gain by removing it. – yagmoth555 Dec 15 '16 at 20:33
  • yagmoth555: Thanks. I wasn't interested in removing it; just wondering if maybe it wasn't necessary w/o anything listening since FreeBSD doesn't install one by default, despite having two very nice firewalls, pf and ipfw, available. – hotkarl Dec 16 '16 at 01:52

2 Answers

3

Short answer: Yes, it does!

Let's assume that no other services will ever get started by accident and that you won't suddenly realise you need a service running in a hurry and then wish you already had the firewall set up appropriately :-)

Although less likely on FreeBSD perhaps, it is possible that applications can sometimes open up ports temporarily. If no firewall is present, these will pop up.

FreeBSD will respond to hosts even if there are no services running. It may respond to ICMP echo requests (pings), and it will also respond when a host tries to connect to a port (or pretends to try to connect to a port), to let the host know that the port is closed.

These responses will let attackers know that the box is there, and unfirewalled. That is a certainty, and easy for attackers to do.

Slightly less easy is that it will also likely respond in such a way as to allow attackers to determine that it is running FreeBSD.

Another issue is that FreeBSD has some level of interaction in order to tell the other systems that its ports are closed. In that case, there is the possibility of an exploit whereby a maliciously crafted packet could have an adverse effect on the system, causing a crash or other issue. Although there are no known vulnerabilities of this type for the latest FreeBSD, it is still another reason to have a firewall.

Another problem is that attackers can spoof their source IP and send the types of requests mentioned above to your box. In that case the FreeBSD box will respond to the spoofed source IP address, rather than to the attacker. So then, whoever is at the spoofed IP will wonder why your FreeBSD box is sending responses to it.

Anyway, you have three choices of firewall in FreeBSD: pf, ipfilter or ipfw. I'm sure a couple of simple rules to block all inbound traffic (except that which is related to requests originating from the FreeBSD box itself) will suffice to protect you from all of the issues mentioned above.

Ask another question if you want to know which of the above 3 is best, or how to set up one of the above 3 with the correct rules, as I am more familiar with Linux ;-) Although I have heard that pf is good, and not heard much about the others.

https://www.freebsd.org/doc/en/articles/linux-users/firewall.html

bao7uo
  • 1,714
  • 14
  • 24
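As an added illustration of the "couple of simple rules" described in the answer above (this ruleset is not the answerer's own, and the interface name em0 is an assumption; substitute whatever `ifconfig` shows for your uplink), here is a minimal pf.conf that blocks all inbound traffic, lets the box's own outbound connections and their replies through via state tracking, and silently drops probes so the closed-port and ping responses discussed above are no longer sent:

```pf
# /etc/pf.conf -- added example, not from the answer above.
# Assumption: the uplink interface is em0; adjust to match `ifconfig`.
ext_if = "em0"

# Never filter loopback traffic.
set skip on lo0

# "drop" (the default) discards blocked packets silently, so the box stops
# answering closed-port probes with RST / ICMP unreachable. Do not change
# this to "return" if the point is to stop those responses.
set block-policy drop

# Discard packets arriving on $ext_if whose source address could not
# legitimately come from that side (the spoofed-source case above).
antispoof quick for $ext_if

# Default deny: block everything inbound on the uplink and log it to pflog0
# so the probes can still be observed.
block in log on $ext_if all

# Allow everything the box itself originates; the state entry created here
# is what lets the matching replies back in ("related to requests
# originating from the FreeBSD box itself").
pass out quick on $ext_if all keep state

# Uncomment to keep answering ping while everything else stays blocked.
# pass in quick on $ext_if inet proto icmp icmp-type echoreq keep state
```

To use it, add `pf_enable="YES"` and `pflog_enable="YES"` to /etc/rc.conf, check the syntax with `pfctl -nf /etc/pf.conf`, then load it with `service pf start` (or `pfctl -f /etc/pf.conf` on a running system). `tcpdump -n -e -ttt -i pflog0` shows what the block rule is dropping, and `sockstat -4 -6 -l` lists whatever is actually listening, which is the quick way to confirm the "no services running" premise before and after an application is started.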
1

Does a system with no running network services need a firewall?

Yes.

If a system has a network address, then packets can route to it. The kernel processes packets, even if there are no application sockets open. There have been plenty of kernel vulnerabilities that allow crashing systems and some that even allow making changes to the system or changing system behavior via kernel bugs.

If the system is used by a person who will be opening applications that talk outbound on the network, there may be ephemeral listener ports open that introduce application-level vulnerabilities. While the intent is only outbound communication, the applications may open up sockets that permit inbound connectivity, even if only temporarily.

Aaron
  • 2,859